doorkeeper_sso 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9a72ba42e597b0094dc11ac27a6e9c31f291fd77
-  data.tar.gz: d7422ffed6ac7e4b667a0e9fa32891f9c44de82b
+  metadata.gz: 1325cddaeea3ad9c0db0f7421de65c7d671f4e90
+  data.tar.gz: f0c5fe37e55ee02487802801fda7c05ff6a9e679
 SHA512:
-  metadata.gz: cf76b6854206fdb5e9bd4bf7f33b4462c000e14c6a3de190d5094b1e7cc27dd8bc3f6175dad95cab420f7b8fc3857bf84b94c8e9ffb6f29f5782e0996b9b485d
-  data.tar.gz: 6c7fdb681c58345c65d8a822d51adccc38a4b6a47a8766985fe648fc95e828a62022d2a80f453cb2a451a1b3387420d6a5a8fc1539a69ab2da9a4b9c6f2b40f1
+  metadata.gz: 35345790590a3d6a0a534ae30dd7717793ef3cf12036f6baf0780ebb03c014ec51110aa97574ed7ff7e299eacfb82afa4dca32fb4e772dd8131a48655788221b
+  data.tar.gz: 0da08dc94ecc077d572615e0dbf0ff0194529cd4dc5a57f23be4b4fb7d835e7352ab40f74acc61abd9fe0151e27d2591472049b19331aa6f8b067d47897491b6

data/Rakefile

@@ -1,26 +1,27 @@
+#!/usr/bin/env rake
 begin
   require 'bundler/setup'
 rescue LoadError
   puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
 end
+Bundler.require :default, :test
 
-require 'rdoc/task'
-
-RDoc::Task.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'Sso'
-  rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('README.rdoc')
-  rdoc.rdoc_files.include('lib/**/*.rb')
+require 'rake'
+task :environment do
+  Combustion.initialize!
 end
+Combustion::Application.load_tasks
 
 APP_RAKEFILE = File.expand_path("../spec/test_app/Rakefile", __FILE__)
 load 'rails/tasks/engine.rake'
+require "rspec/core/rake_task"
 
+Bundler::GemHelper.install_tasks
 
-load 'rails/tasks/statistics.rake'
-
-
+task :default => :spec
 
-Bundler::GemHelper.install_tasks
+# RSpec::Core::RakeTask.new(:spec) do |spec|
+#   spec.pattern = 'spec/**/*_spec.rb'
+#   # spec.rspec_opts = ['-cfs --backtrace']
+# end
 

data/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+
+end

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -0,0 +1,18 @@
+module Doorkeeper
+  class AuthorizationsController < Doorkeeper::ApplicationController
+
+    after_action :after_grant_create, only: [:new, :create]
+
+  protected
+
+    def after_grant_create
+      Rails.logger.info "AuthorizationsController#Create : after_action"
+      code_response = authorization.instance_variable_get("@response")
+      if code_response
+        warden_session = session["warden.user.user.session"]
+        Rails.logger.debug "Sso::Session.update_master_with_grant - #{warden_session["sso_session_id"].inspect}, #{code_response.auth.token.inspect}"
+        Sso::Session.update_master_with_grant(warden_session["sso_session_id"], code_response.auth.token)
+      end
+    end
+  end
+end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -0,0 +1,39 @@
+module Doorkeeper
+  class TokensController < Doorkeeper::ApplicationMetalController
+    include AbstractController::Callbacks
+
+    after_action :after_token_create, only: :create
+
+  protected
+
+    def after_token_create
+      Rails.logger.info "TokensController#Create : after_action"
+      handle_authorization_grant_flow
+    end
+
+    def handle_authorization_grant_flow
+      # We cannot rely on session[:sso_session_id] here because the end-user might have cookies disabled.
+      # The only thing we can rely on to identify the user/Passport is the incoming grant token.
+      Rails.logger.debug { %(Detected outgoing "Access Token" #{outgoing_access_token.inspect}) }
+      if sso_session = Sso::Session.update_master_with_access_token(grant_token, outgoing_access_token)
+        Rails.logger.debug "::Sso::Session.register_access_token success for access_token: #{outgoing_access_token}"
+      else
+        Rails.logger.debug "::Sso::Session.register_access_token failed. #{sso_session.errors.inspect}"
+        warden.logout
+      end
+    end
+
+    def grant_token
+      params["code"]
+    end
+
+    def grant_type
+      params["grant_type"]
+    end
+
+    def outgoing_access_token
+      @response_hash ||= JSON.parse(response.body)
+      @response_hash["access_token"]
+    end
+  end
+end

data/app/controllers/sso/sessions_controller.rb

@@ -0,0 +1,29 @@
+class Sso::SessionsController < ApplicationController
+
+  before_action :authenticate_user!, only: :show
+  before_action :doorkeeper_authorize!, only: :create
+  before_action :find_user, only: :create
+
+  # TODO: Security issue?
+  protect_from_forgery with: :null_session
+
+  respond_to :json
+
+  # Returns a 200 if access is granted
+  def show
+    render :nothing => true
+  end
+
+  # Generate an SSO:Session
+  def create
+    @session  = Sso::Session.generate(@user, doorkeeper_token, params )
+    respond_with @session, :location => sso.sessions_url
+  end
+
+  protected
+
+  def find_user
+    @user = User.find(doorkeeper_token.resource_owner_id)
+  end
+
+end

data/app/middleware/sso/access_token_marker.rb

@@ -0,0 +1,103 @@
+# app/middleware/sso/access_token_marker.rb
+# Middleware that catches outgoing Doorkeeper access tokens
+
+module Sso
+  class AccessTokenMarker
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @env = env
+      @request = ::ActionDispatch::Request.new @env
+      @response = @app.call @env
+
+      return response unless request.method == 'POST'
+      return response unless authorization_grant_flow? || password_credential_flow?
+      return response unless response_code == 200
+      return response unless response_body
+      return response unless outgoing_access_token
+
+      if authorization_grant_flow?
+        Rails.logger.debug { %{Detected outgoing "Access Token" #{outgoing_access_token.inspect} of the "Authorization Code Grant" flow (belonging to "Authorization Grant Token" #{grant_token.inspect}). Augmenting related Passport with it.} }
+        registration = ::Passports.register_access_token grant_token: grant_token, access_token: outgoing_access_token
+
+        if registration.failure?
+          Rails.logger.warn { "The passport could not be augmented. Destroying warden session." }
+          warden.logout
+        end
+
+      elsif password_credential_flow?
+        Rails.logger.debug { %{Detected outgoing "Access Token" #{outgoing_access_token.inspect} of the "Resource Owner Password Credentials Grant" flow. Generating new Passport with it.} }
+        generation = ::Passports.generate_with_access_token access_token_string: outgoing_access_token, ip: request.ip, agent: request.user_agent
+
+        if generation.failure?
+          Rails.logger.warn { "The passport could not be generated. Destroying warden session." }
+          warden.logout
+        end
+
+      else
+        fail NotImplementedError
+      end
+
+      response
+    end
+
+    def request
+      @request
+    end
+
+    def response
+      @response
+    end
+
+    def response_body
+      response.last.first.presence
+      # raise response.last.inspect
+    end
+
+    def response_code
+      response.first
+    end
+
+    def parsed_response_body
+      # raise response_body.inspect
+      return unless response_body
+      ::JSON.parse response_body
+    rescue JSON::ParserError => exception
+      Trouble.notify exception
+      nil
+    end
+
+    def outgoing_access_token
+      return unless parsed_response_body
+      parsed_response_body['access_token']
+    end
+
+    def warden
+      request.env['warden']
+    end
+
+    def params
+      request.params
+    end
+
+    def authorization_grant_flow?
+      grant_token.present?
+    end
+
+    def password_credential_flow?
+      grant_type == 'password'
+    end
+
+    def grant_token
+      params['code']
+    end
+
+    def grant_type
+      params['grant_type']
+    end
+
+  end
+end

data/app/middleware/sso/authorization_grant_marker.rb

@@ -0,0 +1,87 @@
+# app/middleware/sso/authorization_grant_maker.rb
+# Middleware that catches outgoing Doorkeeper authorization grants
+
+module Sso
+  class AuthorizationGrantMarker
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @env = env
+      @response = @app.call @env
+
+      return response unless outgoing_grant_token
+
+      if passport_id
+        Rails.logger.debug { %{Detected outgoing "Authorization Grant Token" #{outgoing_grant_token.inspect} of the "Authorization Code Grant" flow. Augmenting Passport #{passport_id.inspect} with it.} }
+        registration = ::Passports.register_authorization_grant passport_id: passport_id, token: outgoing_grant_token
+
+        if registration.failure?
+          Rails.logger.warn { "The passport could not be augmented. Destroying warden session." }
+          warden.logout
+        end
+      end
+
+      response
+    end
+
+    def request
+      ::ActionDispatch::Request.new @env
+    end
+
+    def response
+      @response
+    end
+
+    def code
+      response.first
+    end
+
+    def session
+      request.session
+    end
+
+    def warden
+      request.env['warden']
+    end
+
+    def passport_id
+      session['passport_id']
+    end
+
+    def location_header
+      unless code == 302
+        #logger.debug { "Uninteresting response, because it is not a redirect" }
+        return
+      end
+
+      response.second['Location']
+    end
+
+    def redirect_uri
+      unless location_header
+        #logger.debug { "Uninteresting response, because there is no Location header" }
+        return
+      end
+
+      ::URI.parse location_header
+    end
+
+    def redirect_uri_params
+      return unless redirect_uri
+      ::Rack::Utils.parse_query redirect_uri.query
+    end
+
+    def outgoing_grant_token
+      unless redirect_uri_params && redirect_uri_params['code']
+        #logger.debug { "Uninteresting response, because there is no code parameter sent" }
+        return
+      end
+
+      redirect_uri_params['code']
+    end
+
+  end
+end

data/app/middleware/sso/passport_verification.rb

@@ -0,0 +1,25 @@
+# app/middleware/sso/passport_verification.rb
+# A Middleware to verify incoming requests by client applications
+# which would like to verify the passport a user presented to them
+
+module Sso
+  class PassportVerification
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      if request.path == '/api/v1/passports/verify'
+        logger.debug { "Detected Passport verification request." }
+        env['warden'].authenticate! :passport
+      else
+        # logger.debug { "I'm not interested in this request to #{request.path}" }
+        @app.call(env)
+      end
+    end
+
+  end
+end

data/app/models/sso/session.rb

@@ -0,0 +1,137 @@
+module Sso
+  class Session < ActiveRecord::Base
+    include ::Sso::Logging
+    # FIXME: Not sure to use application or doorkeeper_application_id
+    belongs_to :application, class_name: 'Doorkeeper::Application'  #,  inverse_of: :sso_sessions
+    belongs_to :access_grant, class_name: 'Doorkeeper::AccessGrant' #, inverse_of: :sso_sessions
+    belongs_to :access_token, class_name: 'Doorkeeper::AccessToken' #, inverse_of: :sso_sessions
+    belongs_to :owner, class_name: 'User' #, inverse_of: :sso_sessions
+
+    validates :group_id, presence: true
+    validates :owner_id, presence: true
+    validates :ip, presence: true
+    validates :secret, presence: true
+    validates :access_token_id, uniqueness: { scope: [:owner_id, :revoked_at, :application_id], allow_blank: true }
+    validates :revoke_reason, allow_blank: true, format: { with: /\A[a-z_]+\z/ }
+
+    scope :active, -> { where(revoked_at: nil) }
+    scope :master, -> { where(application_id: nil) }
+
+    before_validation :ensure_secret
+    before_validation :ensure_group_id
+    before_validation :ensure_activity_at
+
+    class << self
+      def master_for(grant_id)
+        active.master.find_by!(access_grant_id: grant_id)
+      end
+
+      def generate_master(user, options)
+        relations = { owner: user }
+        attributes = ActionController::Parameters.new(options).permit(:ip, :agent, :location)
+        debug { "Sso::Session::generate_master for #{user.inspect} - #{attributes.inspect}" }
+        create!(relations.merge(attributes))
+      end
+
+      def generate(user, access_token, options = {})
+        master_sso_session = active.master.find_by!(owner_id: user.id, access_token_id: access_token.id)
+        attributes = ActionController::Parameters.new(options).permit(:ip, :agent, :location)
+        relations = { owner: user, application: access_token.application, access_token: access_token, group_id: master_sso_session.group_id }
+
+        debug { "Sso::Session::generate for #{user.inspect} - #{access_token.inspect} - #{attributes.inspect}" }
+        create!(relations.merge(attributes))
+      end
+
+      def logout(sso_session_id)
+        sso_session = find(sso_session_id)
+        group_id = sso_session.group_id
+
+        debug { "Sso::Session#logout - Revoking Session Group #{sso_session.group_id.inspect} from Session #{sso_session.id.inspect}" }
+        count = where(group_id: group_id).update_all revoked_at: Time.current, revoke_reason: "logout"
+        debug { "Successfully removed #{count.inspect} sessions." }
+        count
+      end
+
+      def update_master_with_grant(master_sso_session_id, oauth_grant)
+        master_sso_session = active.master.find(master_sso_session_id)
+
+        if master_sso_session.update_attribute(:access_grant_id, oauth_grant.id)
+          debug { "#update_master_with_grant : #{master_sso_session.id} with Access Grant ID #{oauth_grant.id} which is #{oauth_grant.token}" }
+        else
+          error { "#update_master_with_grant : FAILED to update oauth_grant" }
+        end
+      end
+
+      def update_master_with_access_token(grant_token, access_token)
+        oauth_grant  = Doorkeeper::AccessGrant.by_token(grant_token)
+        oauth_token  = Doorkeeper::AccessToken.by_token(access_token)
+        return false if oauth_token.blank? or oauth_grant.blank?
+
+        master_sso_session = active.master.find_by!(access_grant_id: oauth_grant.id)
+
+        if master_sso_session.update_attribute(:access_token_id, oauth_token.id)
+          debug { "#register_access_token : #{master_sso_session.id} with Access Token ID #{oauth_token.id} which is #{oauth_token.token}" }
+        else
+          error { "#register_access_token : FAILED to update oauth_access_token_id" }
+        end
+        master_sso_session
+      end
+    end
+
+    def create_session(token, options = {})
+      create(access_token_id)
+    end
+    # def to_s
+    #   ['Sso:Session', owner_id, ip, activity_at].join ', '
+    # end
+
+  private
+
+    def ensure_secret
+      self.secret ||= SecureRandom.uuid
+    end
+
+    def ensure_group_id
+      self.group_id ||= SecureRandom.uuid
+    end
+
+    def ensure_activity_at
+      self.activity_at ||= Time.current
+    end
+  end
+end # Sso
+
+
+# == Schema Information
+# Schema version: 20150330031153
+#
+# Table name: sso_sessions
+#
+#  id              :uuid             not null, primary key
+#  access_grant_id :integer
+#  access_token_id :integer
+#  application_id  :integer
+#  owner_id        :integer          not null
+#  group_id        :string           not null
+#  secret          :string           not null
+#  ip              :inet             not null
+#  agent           :string
+#  location        :string
+#  activity_at     :datetime         not null
+#  revoked_at      :datetime
+#  revoke_reason   :string
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_sso_sessions_on_access_grant_id  (access_grant_id)
+#  index_sso_sessions_on_access_token_id  (access_token_id)
+#  index_sso_sessions_on_application_id   (application_id)
+#  index_sso_sessions_on_group_id         (group_id)
+#  index_sso_sessions_on_ip               (ip)
+#  index_sso_sessions_on_owner_id         (owner_id)
+#  index_sso_sessions_on_revoke_reason    (revoke_reason)
+#  index_sso_sessions_on_secret           (secret)
+#  one_access_token_per_owner             (owner_id,access_token_id,application_id) UNIQUE
+#

data/app/views/layouts/doorkeeper/admin.html.erb

@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Doorkeeper</title>
+  <%= stylesheet_link_tag "doorkeeper/admin/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+<div class="navbar navbar-inverse navbar-fixed-top" role="navigation">
+  <div class="container">
+    <div class="navbar-header">
+      <%= link_to t('doorkeeper.layouts.admin.nav.oauth2_provider'), oauth_applications_path, class: 'navbar-brand' %>
+    </div>
+    <ul class="nav navbar-nav">
+      <%= content_tag :li, class: "#{'active' if request.path == oauth_applications_path}" do %>
+        <%= link_to t('doorkeeper.layouts.admin.nav.applications'), oauth_applications_path %>
+      <% end %>
+    </ul>
+  </div>
+</div>
+<div class="container">
+  <%- if flash[:notice].present? %>
+    <div class="alert alert-info">
+      <%= flash[:notice] %>
+    </div>
+  <% end -%>
+
+  <%= yield %>
+</div>
+</body>
+</html>

data/app/views/layouts/doorkeeper/application.html.erb

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title><%= t('doorkeeper.layouts.application.title') %></title>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+  <%= stylesheet_link_tag "doorkeeper/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+<div id="container">
+  <%- if flash[:notice].present? %>
+    <div class="alert alert-info">
+      <%= flash[:notice] %>
+    </div>
+  <% end -%>
+
+  <%= yield %>
+</div>
+</body>
+</html>

data/config/routes.rb

@@ -1,2 +1,3 @@
 Sso::Engine.routes.draw do
+  resource :sessions, :only => [:show, :create]
 end

data/db/migrate/20150414102248_create_sso_sessions.rb

@@ -0,0 +1,29 @@
+class CreateSsoSessions < ActiveRecord::Migration
+  def change
+    enable_extension 'uuid-ossp'
+
+    create_table :sso_sessions, id: :uuid do |t|
+      t.references  "access_grant", index: true
+      t.references  "access_token", index: true
+      t.references  "application",  index: true
+      t.integer  "owner_id",        null: false
+      t.string   "group_id",        null: false
+      t.string   "secret",          null: false
+      t.inet     "ip",              null: false
+      t.string   "agent"
+      t.string   "location"
+      t.datetime "activity_at",     null: false
+      t.datetime "revoked_at"
+      t.string   "revoke_reason"
+      t.timestamps
+    end
+
+    add_index :sso_sessions, [:owner_id, :access_token_id, :application_id], where: 'revoked_at IS NULL AND access_token_id IS NOT NULL', unique: true, name: :one_access_token_per_owner
+    add_index :sso_sessions, :owner_id
+    add_index :sso_sessions, :group_id
+    add_index :sso_sessions, :secret
+    add_index :sso_sessions, :ip
+    add_index :sso_sessions, :revoke_reason
+
+  end
+end

data/lib/doorkeeper_sso.rb

@@ -1 +1,4 @@
-require 'sso'
+require "sso"
+
+module DoorkeeperSso
+end

data/lib/sso/engine.rb

@@ -1,17 +1,5 @@
 module Sso
   class Engine < ::Rails::Engine
     isolate_namespace Sso
-
-    # Generators for Rspec and Fabrication
-    config.generators do |g|
-      g.test_framework  :rspec,
-                        :fixtures => true,
-                        :view_specs => false,
-                        :helper_specs => false,
-                        :routing_specs => false,
-                        :controller_specs => true,
-                        :request_specs => false
-      g.fixture_replacement :fabrication
-    end
   end
 end

data/lib/sso/logging.rb

@@ -0,0 +1,58 @@
+module Sso
+  # One thing tha bugs me is when I cannot see which part of the code caused a log message.
+  # This mixin will include the current class name as Logger `progname` so you can show that it in your logfiles.
+  #
+  module Logging
+    extend ActiveSupport::Concern
+
+    class_methods do
+      def debug(&block)
+        logger && logger.debug(progname, &block)
+      end
+
+      def info(&block)
+        logger && logger.info(progname, &block)
+      end
+
+      def warn(&block)
+        logger && logger.warn(progname, &block)
+      end
+
+      def error(&block)
+        logger && logger.error(progname, &block)
+      end
+
+      def fatal(&block)
+        logger && logger.fatal(progname, &block)
+      end
+
+      def progname
+        self.to_s
+      end
+
+      def logger
+        Rails.logger
+      end
+    end #class_methods
+
+    def debug(&block)
+      self.class.debug(&block)
+    end
+
+    def info(&block)
+      self.class.info(&block)
+    end
+
+    def warn(&block)
+      self.class.warn(&block)
+    end
+
+    def error(&block)
+      self.class.error(&block)
+    end
+
+    def fatal(&block)
+      self.class.fatal(&block)
+    end
+  end
+end

data/lib/sso/version.rb

@@ -1,3 +1,3 @@
 module Sso
-  VERSION = "0.0.3"
+  VERSION = "0.0.4"
 end